Updates from: 08/14/2022 01:04:39
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Appconsentapprovalroute List Appconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/appconsentapprovalroute-list-appconsentrequests.md
GET /identityGovernance/appConsent/appConsentRequests
``` ## Optional query parameters
-This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter` (`eq`), and `$orderby` OData query parameters to help customize the response. You can also apply `$filter` (`eq`) on the collection of objects in the**userConsentRequests** relationship. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers |Name|Description|
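Review bot: the added sentence is missing a space in "in the**userConsentRequests** relationship". It also doesn't say which property of the related objects `$filter` (`eq`) applies to; Example 2 on this page filters on a status of `InProgress`, so name that property here.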
Do not supply a request body for this method.
If successful, this method returns a `200 OK` response code and a collection of [appConsentRequest](../resources/appconsentrequest.md) objects in the response body.
-## Example 1: List all appConsentRequests
+## Examples
-### Request
+### Example 1: List all appConsentRequests
+
+#### Request
# [HTTP](#tab/http) <!-- {
GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentReq
-### Response
+#### Response
>**Note:** The response object shown here might be shortened for readability. <!-- { "blockType": "response",
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests",
- "@odata.count": 1,
- "value": [
- {
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "consentType": "Dynamic",
- "pendingScopes": [],
- "userConsentRequests": []
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
} ```
-## Example 2: List all appConsentRequests with at least one userConsentRequest whose status is InProgress
+### Example 2: List all appConsentRequests with at least one userConsentRequest whose status is InProgress
-### Request
+#### Request
# [HTTP](#tab/http) <!-- {
GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentReq
-### Response
+#### Response
+
+The following is an example of the response. The response object includes all **appConsentRequest** objects that have at least one **userConsentRequest** that's `InProgress`, but doesn't expand the related **userConsentRequests** relationship.
+ >**Note:** The response object shown here might be shortened for readability. <!-- { "blockType": "response",
Content-Type: application/json
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests", "@odata.count": 1, "value": [
- {
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "consentType": "Dynamic",
- "pendingScopes": [],
- "userConsentRequests": []
- }
- ]
+ {
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
} ```
v1.0 Appconsentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/appconsentrequest-filterByCurrentUser.md
The following table shows the parameters that can be used with this function.
|on|consentRequestFilterByCurrentUserOptions|Filter to query appConsentRequest objects for which the current user is a reviewer. Allowed value is `reviewer`. Required.| ## Query parameters
-This function requires theΓÇ»`$filter` OData query parameter to return a collection of [userConsentRequest](../resources/userconsentrequest.md) objects for which the status is `InProgress`. For general information, see [OData query parameters](/graph/query-parameters).
+This function *requires* theΓÇ»`$filter` (`eq`) OData query parameter to return a collection of [userConsentRequest](../resources/userconsentrequest.md) objects for which the status is `InProgress`. The function also supports the `$select` query parameter. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers |Name|Description|
Do not supply a request body for this method.
If successful, this method returns a `200 OK` response code and a collection of [appConsentRequest](../resources/appconsentrequest.md) objects in the response body.
-## Example
+## Example 1: List all appConsentRequests
### Request
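Review bot: the new heading "Example 1: List all appConsentRequests" doesn't match this function. The parameter table above limits results to requests for which the current user is a reviewer, and the query parameters text makes `$filter` required, so retitle the example to describe the filtered call. The list page in this batch moved to a "## Examples" parent with "### Example 1" beneath it, while this page numbers the only example visible here at the "##" level; use the same structure on both pages.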
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(appConsentRequest)",
- "@odata.count": 1,
- "value": [
- {
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "consentType": "Dynamic",
- "pendingScopes": [],
- "userConsentRequests": []
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(appConsentRequest)",
+ "@odata.count": 1,
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.appConsentRequest",
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests": []
+ }
+ ]
} ```
v1.0 Appconsentrequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/appconsentrequest-get.md
If successful, this method returns a `200 OK` response code and an [appConsentRe
} --> ``` http
-GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests/af330b30-dd59-4482-a848-0fd81b0438ed
+GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests/7322e5f3-0f15-4eb8-9e82-2029e8622f5d
``` # [C#](#tab/csharp)
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests/$entity",
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "consentType": "Dynamic",
- "pendingScopes": [],
- "userConsentRequests": []
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests/$entity",
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
} ```
v1.0 Appconsentrequest List Userconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/appconsentrequest-list-userconsentrequests.md
GET /identityGovernance/appConsent/appConsentRequests/{id}/userConsentRequests
``` ## Optional query parameters
-This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter` (`eq`), and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers |Name|Description|
v1.0 Authenticationmethod Resetpassword https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/authenticationmethod-resetpassword.md
+
+ Title: "passwordAuthenticationMethod: resetPassword"
+description: "Reset a user's password"
+ms.localizationpriority: medium
+++
+# passwordAuthenticationMethod: resetPassword
+
+Namespace: microsoft.graph
++
+Initiate a reset for the password associated with a [password authentication method](../resources/passwordauthenticationmethod.md) object. This can only be done by an administrator with appropriate permissions and cannot be performed on a user's own account.
+
+This flow writes the new password to Azure Active Directory and pushes it to on-premises Active Directory if configured using password writeback. The admin can either provide a new password or have the system generate one. The user is prompted to change their password on their next sign in.
+
+This reset is a long-running operation and will return a **Location** header with a link where the caller can periodically check for the status of the reset operation.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+> [!IMPORTANT]
+> The operation cannot be performed on a user's own account. Only an administrator with the appropriate permissions can perform this operation.
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | Not supported. |
+
+For delegated scenarios where an admin is acting on another user, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Global administrator
+* Privileged authentication administrator
+* Authentication administrator
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token}. Required. |
+| Content-type | application/json. Required. |
+
+## Request body
+
+In the request body, provide a JSON object with the following parameters.
+
+| Parameter | Type | Description |
+|:-|:|:|
+|newPassword|String|The new password. Required for tenants with hybrid password scenarios. If omitted for a cloud-only password, the system returns a system-generated password. This is a unicode string with no other encoding. It is validated against the tenant's banned password system before acceptance, and must adhere to the tenant's cloud and/or on-premises password requirements.|
+
+## Response
+
+If successful, this method returns a `202 Accepted` response code and a **Location** header with a URL to check the status of the reset operation.
+
+If the caller did not submit a password, a Microsoft-generated password is provided in a JSON object in the response body.
+
+### Response headers
+
+| Name | Description |
+|:|:-|
+|Location | URL to call to check the status of the operation. Required.|
+|Retry-after | Duration in seconds. Optional.|
+
+## Examples
+
+### Example 1: User-submitted password
+
+The following example shows how to call this API when the caller submits a password.
+
+#### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "passwordauthenticationmethod_resetpassword_adminprovided"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword
+Content-type: application/json
+
+{
+ "newPassword": "Cuyo5459"
+}
+```
+
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
++++
+#### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.entity"
+} -->
+
+```http
+HTTP/1.1 202 Accepted
+Content-type: application/json
+Location: https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/88e7560c-9ebf-435c-8089-c3998ac1ec51?aadgdc=DUB02P&aadgsu=ssprprod-a
+
+{}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "passwordAuthenticationMethod: resetPassword",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
+### Example 2: System-generated password
+
+The following example shows how to call this API when the caller does not submit a password.
+
+#### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "passwordauthenticationmethod_resetpassword_systemgenerated"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword
+```
+
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.entity"
+} -->
+
+```http
+HTTP/1.1 202 ACCEPTED
+Location: https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/77bafe36-3ac0-4f89-96e4-a4a5a48da851?aadgdc=DUB02P&aadgsu=ssprprod-a
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.passwordResetResponse",
+ "newPassword": "Cuyo5459"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "passwordAuthenticationMethod: resetPassword",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
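Review bot: the same literal password, `"newPassword": "Cuyo5459"`, is used as the admin-supplied value in the Example 1 request and as the system-generated value in the Example 2 response, which makes it look as if the service returns what was submitted. Use two visibly different placeholder values. Because the generated password comes back in plaintext in the response body, the Response section should also tell callers to keep that body out of logs and traces. Smaller points: the path template uses `{id}` for both the user and the password method, so give the second placeholder its own name; the status line is `202 Accepted` in Example 1 but `202 ACCEPTED` in Example 2; the `Retry-after` header is listed in the table but shown in neither example; and the `#page.annotation` comment block with the same uuid appears after each example, where one copy at the end of the file is enough.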
v1.0 Authenticationoperation Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/authenticationoperation-get.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Retrieve the properties and relationships of an [operation](../resources/operation.md) object. Currently these operations are generated by initiating a password reset using the [reset password](passwordauthenticationmethod-resetpassword.md) method. An operation object tells the caller about the current state of that password reset operation. Possible states include:
+Retrieve the properties and relationships of an [operation](../resources/operation.md) object. Currently these operations are generated by initiating a password reset using the [reset password](authenticationmethod-resetpassword.md) method. An operation object tells the caller about the current state of that password reset operation. Possible states include:
* NotStarted * Running
v1.0 Userconsentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/userconsentrequest-filterByCurrentUser.md
The following table shows the parameters that can be used with this function.
|on|consentRequestFilterByCurrentUserOptions|Filter to query userConsentRequest objects for an appConsentRequest object for which the current user is a reviewer. Allowed value is `reviewer`. Required.| ## Optional query parameters
-This function supports theΓÇ»`$filter` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This function supports theΓÇ»`$filter` and `$select` OData query parameters to help customize the response.For general information, see [OData query parameters](/graph/query-parameters).
## Request headers |Name|Description|
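Review bot: there is a missing space after the period in "customize the response.For general information". The other pages in this batch qualify the operator as `$filter` (`eq`); do the same here if only `eq` is supported, so the pages agree.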
v1.0 Accessreviewinstancedecisionitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/accessreviewinstancedecisionitem.md
Represents an Azure AD [access review](accessreviewsv2-overview.md) decision on
| Property | Type | Description | | :| :- | :- | |accessReviewId|String|The identifier of the accessReviewInstance parent. Supports `$select`. Read-only.|
-|appliedBy|[userIdentity](../resources/useridentity.md)|The identifier of the user who applied the decision. Read-only.|
+|appliedBy|[userIdentity](../resources/useridentity.md)|The identifier of the user who applied the decision. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't applied the decision or it was automatically applied. Read-only.|
|appliedDateTime|DateTimeOffset|The timestamp when the approval decision was applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.| |applyResult|String|The result of applying the decision. Possible values: `New`, `AppliedSuccessfully`, `AppliedWithUnknownFailure`, `AppliedSuccessfullyButObjectNotFound` and `ApplyNotSupported`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.| |decision|String|Result of the review. Possible values: `Approve`, `Deny`, `NotReviewed`, or `DontKnow`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). |
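Review bot: **appliedBy** is typed as `userIdentity`, not String, so the added sentence should say which field of that object carries `00000000-0000-0000-0000-000000000000`. The sentence also folds two cases into one value (the reviewer hasn't applied the decision, and the decision was applied automatically). Say how a consumer tells them apart, or state that it can't, since anyone reporting on who applied decisions needs to handle this placeholder explicitly.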
Represents an Azure AD [access review](accessreviewsv2-overview.md) decision on
|recommendation|String|A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. Recommend approve if sign-in is within thirty days of start of review. Recommend deny if sign-in is greater than thirty days of start of review. Recommendation not available otherwise. Possible values: `Approve`, `Deny`, or `NoInfoAvailable`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.| |resource|[accessReviewInstanceDecisionItemResource](../resources/accessreviewinstancedecisionitemresource.md)|Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is Bob and the resource is "Sales". Resources can be of multiple types. See [accessReviewInstanceDecisionItemResource](../resources/accessreviewinstancedecisionitemresource.md). Read-only.| |resourceLink|String|A link to the resource. For example, `https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8`. Supports `$select`. Read-only.|
-|reviewedBy|[userIdentity](../resources/useridentity.md)| The identifier of the reviewer. Supports `$select`. Read-only.|
+|reviewedBy|[userIdentity](../resources/useridentity.md)| The identifier of the reviewer. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Supports `$select`. Read-only.|
|reviewedDateTime|DateTimeOffset| The timestamp when the review decision occurred. Supports `$select`. Read-only.| |principalResourceMembership|[decisionItemPrincipalResourceMembership](../resources/decisionItemPrincipalResourceMembership.md)| Every decision item in an access review represents a principal's membership to a resource. This property provides the details of the membership. For example, whether the principal has direct access or indirect access to the resource. Supports `$select`. Read-only.|
v1.0 Accessreviewreviewerscope https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/accessreviewreviewerscope.md
Title: "accessReviewReviewerScope resource type"
-description: "Represents who will review an access review."
+description: "Represents reviewers of an access review or user consent requests."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
-The accessReviewReviewerScope defines who will review instances of an [accessReviewScheduleDefinition](accessreviewscheduledefinition.md). It is an OData query that allows reviewers to be specified both as a static list of users (that is, specific users, group owners, and group members) or dynamically in which every user is reviewed by their manager or by group owners. To create a self-review (where users review their own access), do not provide reviewers on [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) creation.
+The **accessReviewReviewerScope** defines who will review instances of an [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) or [user consent requests](consentrequests-overview.md).
+
+Reviewers can be specified as a static list of users (that is, specific users, group owners, and group members) or dynamically in which every user is reviewed by their manager, group or application owners. To create a self-review (where users review their own access) in Azure AD access reviews, the **reviewers** property of the [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) should be an empty collection.
Inherits from [accessReviewScope](../resources/accessreviewscope.md). ## Properties | Property | Type | Description | | :-| :- | :- |
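Review bot: the self-review instruction changed meaning between the removed and added text. The old line said "do not provide reviewers" on creation; the new one says the **reviewers** property "should be an empty collection". State whether omitting the property still produces a self-review or whether an explicit empty collection is now required. In the same paragraph, "reviewed by their manager, group or application owners" reads more clearly as "their manager, group owners, or application owners".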
-| query | String | The query specifying who will be the reviewer. See table for examples. |
+| query | String | The query specifying who will be the reviewer. |
| queryType | String | The type of query. Examples include `MicrosoftGraph` and `ARM`. | | queryRoot | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, `./manager`, is specified. Possible value: `decisions`. |
v1.0 Adminconsentrequestpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/adminconsentrequestpolicy.md
Title: "adminConsentRequestPolicy resource type"
-description: "Specifies the policy by which consent requests can be created and managed for the entire tenant."
+description: "Represents the policy for enabling or disabling the Azure AD admin consent workflow."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Specifies the policy by which consent requests are created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
-
-The **adminConsentRequestPolicy** provides additional settings when creating a consent request, to control the feature behavior when starting a consent request.
+Represents the policy for enabling or disabling the Azure AD admin consent workflow. The admin consent workflow allows users to request access for apps that they wish to use and that require admin authorization before users can use the apps to access organizational data. There is a single **adminConsentRequestPolicy** per tenant.
## Methods |Method|Return type|Description|
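Review bot: the new description narrows the policy to "enabling or disabling" the workflow, and the removed sentence about additional settings has no replacement. The overview page updated in this same batch says this resource is also used to configure reviewers, how long a pending request stays valid, and who is notified, so mention those settings here as well.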
v1.0 Appconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/appconsentrequest.md
Title: "appConsentRequest resource type"
-description: "A request that represents a collection of userConsentRequest objects for a specific application."
+description: "Represents the request that a user creates when they request the tenant admin for consent to access an app or to grant permissions to an app."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-A collection of [userConsentRequest](../resources/userconsentrequest.md) objects for a specific application.
+Represents the request that a user creates when they request the tenant admin for consent to access an app or to grant permissions to an app. The details include the app that the user wants access to be granted to on their behalf and the permissions that the user is requesting.
+
+The user can create a consent request when an app or a permission requires admin authorization and only when the [admin consent workflow](adminconsentrequestpolicy.md) is enabled.
## Methods |Method|Return type|Description|
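Review bot: the added description says an **appConsentRequest** is "the request that a user creates", which is how the overview describes **userConsentRequest**. The relationship table on this page and the overview both treat the app request as the per-app container of one or more user requests, so keep that distinction in the opening paragraph and readers won't expect one object per user. Also, "request the tenant admin for consent" should be "ask the tenant admin for consent".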
A collection of [userConsentRequest](../resources/userconsentrequest.md) objects
## Relationships |Relationship|Type|Description| |:|:|:|
-|userConsentRequests|[userConsentRequest](../resources/userconsentrequest.md) collection|A list of pending user consent requests.|
+|userConsentRequests|[userConsentRequest](../resources/userconsentrequest.md) collection|A list of pending user consent requests. Supports `$filter` (`eq`).|
## JSON representation The following is a JSON representation of the resource.
v1.0 Approvalstep https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/approvalstep.md
In [userConsentRequests](../resources/userconsentrequest.md), the approval deci
|id|String|The identifier of the step associated with an approval object. Read-only.| |justification|String|The justification associated with the approval step decision.| |reviewResult|String|The result of this approval record. Possible values include: `NotReviewed`, `Approved`, `Denied`.|
-|reviewedBy|[userIdentity](useridentity.md) collection | The identifier of the reviewer. Read-only.|
+|reviewedBy|[userIdentity](useridentity.md) collection | The identifier of the reviewer. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Read-only.|
|reviewedDateTime|DateTimeOffset|The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |status|String|The step status. Possible values: `InProgress`, `Initializing`, `Completed`, `Expired`. Read-only.|
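Review bot: **reviewedBy** is declared here as a `userIdentity` collection, but the added text describes a single `00000000-0000-0000-0000-000000000000` value. Clarify whether an unreviewed step returns a collection holding one placeholder identity or an empty collection, and check the type against accessReviewInstanceDecisionItem in this batch, where the same property is a single `userIdentity`.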
v1.0 Consentrequests Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/consentrequests-overview.md
Title: "Azure Active Directory consent requests"
-description: "Use Azure AD consent requests to manage the request workflow for users attempting to access apps that require admin consent."
+description: "Use the consent request APIs to configure the consent request workflow and to manage consent requests for users attempting to access apps that require admin consent."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] - Azure Active Directory (Azure AD) consent requests help you manage the request workflow for users attempting to access apps that require admin approval.
-To allow users to request access or admin consent for applications they're unauthorized to grant consent to themselves, first enable the consent request workflow.
+Before an app can be used to access any data in your organization, the admin must consent for it to be used in the tenant. In addition, before a user can grant a consented application specific permissions to act on their behalf, the admin must also consent for users to be allowed to consent to those permissions for the app. Consent management is one way that Azure AD helps organizations to enforce application and data security.
+
+The Azure AD consent workflow allows users to request the tenant admins to grant consent to apps that require admin approval. The consent requests APIs in Microsoft Graph allows admin to configure the consent workflow and track consent requests for both apps and users.
>[!NOTE] >The current APIs are limited to configuring the workflow and reading the list of requests. At this time, there arenΓÇÖt any methods available to programmatically approve or deny a request. However, the contents of the request can be used to recreate a URL which can be used to grant admin consent and approve a request.
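Review bot: subject-verb agreement in the second added paragraph: "The consent requests APIs in Microsoft Graph allows admin to configure" should read "The consent request APIs in Microsoft Graph allow admins to configure". In the first added paragraph, "the admin must consent for it to be used" is clearer as "an admin must consent to its use".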
-The consent request resource types include:
+
+## Configure the admin consent workflow
+
+The admin consent policy specifies whether users can request for admin consent for apps that require admin authorization for the tenant. Use the [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md) resource type and its associated methods to configure the admin consent workflow as follows:
++ Enable or disable the consent workflow.++ Configure reviewers of admin consent requests.++ Configure how long a pending request is valid before it expires and the principals who are notified of pending requests.+
+## Retrieve app consent requests
+
+When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the app. App consent requests are retrieved through the [appConsentRequest](../resources/appconsentrequest.md) resource type and its associated methods.
-* [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md): Specifies the policy by which app consent requests can be created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
-* [appConsentRequest](../resources/appconsentrequest.md): A request that represents a collection of **userConsentRequests** for a specific application.
-* [userConsentRequest](../resources/userconsentrequest.md): A request created by a user to use an app that requires admin consent to access.
-* [appConsentRequestScope](../resources/appconsentrequestscope.md): A resource that contains details of the dynamic permission scopes being requested for an application.
+You can:
++ Retrieve all app consent requests and the associated collection of user consent requests for the app. An app consent request may have one or more user consent requests representing multiple requests from the same or multiple users.++ Retrieve the permissions that the user has requested for the app on their behalf.++ Use `$filter` to match against pending requests.++ Retrieve the app consent requests for which the signed-in user is the creator of the request.
-## Methods
+## Retrieve user consent requests
-The following table lists the methods that you can use to interact with consent request resources.
+When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the tenant admin to allow them to use the app. User consent requests are retrieved through the [userConsentRequest](../resources/userconsentrequest.md) resource type and its associated methods.
-| Method | Return type |Description|
-|:|:--|:-|
-|[Get adminConsentRequestPolicy](../api/adminconsentrequestpolicy-get.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Read the properties of the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
-|[Update adminConsentRequestPolicy](../api/adminconsentrequestpolicy-update.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Set configurations for the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
-|[List appConsentRequests ](../api/appconsentapprovalroute-list-appconsentrequests.md) | [appConsentRequest](appconsentrequest.md) collection | Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties. |
-|[Get appConsentRequest ](../api/appconsentrequest-get.md) | [appConsentRequest](appconsentrequest.md) collection | Read an [appConsentRequest](appconsentrequest.md) object. |
-|[appConsentRequests: filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md) | [appConsentRequest](../resources/appconsentrequest.md) collection | Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`. |
-|[Get userConsentRequest ](../api/userconsentrequest-get.md) | [userConsentRequest](userconsentrequest.md) collection | Read a [userConsentRequest](userconsentrequest.md) object for an [appConsentRequest](appconsentrequest.md). |
-|[List userConsentRequests ](../api/appconsentrequest-list-userconsentrequests.md) | [userConsentRequest](userconsentrequest.md) collection | Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md). |
-|[userConsentRequest: filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/userconsentrequest.md) collection | Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md) for which the current user is the reviewer. |
+You can:
++ Retrieve the details about the user consent requests.++ Retrieve the stages of approval that the consent request went through. The approval process is currently a single-stage process.++ Retrieve the status of the approvals, whether pending or completed, and whether the reviewers decisions were to deny or approve the consent request. ## Role and delegated permission authorization checks
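Review bot: Both new intro paragraphs ("Retrieve app consent requests" and "Retrieve user consent requests") open with "When a user requests for consent", which should read "requests consent", and the last bullet under user consent requests has "reviewers decisions" without the possessive apostrophe. The two opening sentences are also nearly identical, so consider stating the shared context once and keeping only the part that differs in each section.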
-The following directory roles are required for a calling user to manage the requests workflow or read the list of requests.
+The following directory roles are required for a calling application.
| Operation | Delegated permissions | Required directory role of the calling user | |:|:|:--|
-| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Administrator, Global Reader, Cloud App Administrator, and Application Administrator |
+| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Reader, Cloud App Administrator, Application Administrator, or Global Administrator |
## See also
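Review bot: The replacement sentence says the directory roles are required "for a calling application", but the table under it still has the columns "Delegated permissions" and "Required directory role of the calling user". Delegated permissions and directory roles apply to the signed-in user, so either keep "calling user" in the sentence or change the column headers to match the new wording.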
v1.0 Passwordauthenticationmethod https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/passwordauthenticationmethod.md
A representation of a user's password. For security, the password itself will ne
|:-|:|:| |[List passwordAuthenticationMethods](../api/authentication-list-passwordmethods.md) | [passwordAuthenticationMethod](passwordauthenticationmethod.md) collection | Read the properties and relationships of all of this user's **passwordAuthenticationMethod** objects. | |[Get passwordAuthenticationMethod](../api/passwordauthenticationmethod-get.md) | [passwordAuthenticationMethod](passwordauthenticationmethod.md) | Read the properties and relationships of a **passwordAuthenticationMethod** object. |
-|[Reset password](../api/passwordauthenticationmethod-resetpassword.md)|None|Reset a user's password in the cloud and, if synced, on-premises.|
+|[Reset password](../api/authenticationmethod-resetpassword.md)|None|Reset a user's password in the cloud and, if synced, on-premises.|
## Properties | Property | Type | Description | |:-|:|:|
-|creationDateTime|DateTimeOffset|The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
+|createdDateTime|DateTimeOffset|The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|id|String| The identifier of this password registered to this user. This is generally `28c10230-6103-485e-b985-444c60001490`. Read-only.| |password|String|For security, the password is always returned as `null` from a LIST or GET operation.|
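Review bot: In the renamed `createdDateTime` row, the description still reads "The date and time when this password was last updated", which describes a modification time rather than a creation time, and it refers to "The Timestamp type" while the Type column says DateTimeOffset. Reword the description so the name, type and meaning agree.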
v1.0 Userconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/userconsentrequest.md
Title: "userConsentRequest resource type"
-description: "A request created by a user to use an app that requires access to organizational data the user is unauthorized to grant consent to themselves."
+description: "Represents the details of the consent request a user creates when they request to access an app or to grant permissions to an app. The details include justification for requesting access, the status of the request, and the approval details."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-A [userConsentRequest](../resources/userconsentrequest.md) is created by a user when they are requesting access to an application which requires an admin authorization to access.
+Represents the details of the consent request a user creates when they request to access an app or to grant permissions to an app. The details include justification for requesting access, the status of the request, and the approval details.
+
+The user can create a consent request when an app or a permission requires admin authorization and only when the [admin consent workflow](adminconsentrequestpolicy.md) is enabled.
## Methods |Method|Return type|Description|
v1.0 Appconsentapprovalroute List Appconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/appconsentapprovalroute-list-appconsentrequests.md
GET /identityGovernance/appConsent/appConsentRequests
## Optional query parameters
-This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter` (`eq`), and `$orderby` OData query parameters to help customize the response. You can also apply `$filter` (`eq`) on the collection of objects in the**userConsentRequests** relationship. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
If successful, this method returns a `200 OK` response code and a collection of
## Examples
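Review bot: The added sentence has no space before the bold term in "in the**userConsentRequests** relationship", so the emphasis markers run into the preceding word. Insert the space. It would also help to say which properties `$filter` (`eq`) accepts, since the only filter shown in the examples is on `status`.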
-### Request
+### Example 1: List all appConsentRequests
+#### Request
# [HTTP](#tab/http) <!-- {
GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentReq
-### Response
+#### Response
**Note:** The response object shown here might be shortened for readability. <!-- {
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests",
- "@odata.count": 1,
- "value": [
- {
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "pendingScopes": [],
- "userConsentRequests": []
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
} ```++
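Review bot: The new Example 1 response body for `7322e5f3-0f15-4eb8-9e82-2029e8622f5d` has no `consentType` property, while the Example 2 response and the Get appConsentRequest response for the same object both include `"consentType": "Dynamic"`. Add the property here, or note that the object is shortened, so the three examples describe the same resource consistently.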
+### Example 2: List all appConsentRequests with at least one userConsentRequest whose status is InProgress
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "list_appconsentrequest_userconsentrequest_InProgress"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests?$filter=userConsentRequests/any (u:u/status eq 'InProgress')
+```
+
+#### Response
+
+The following is an example of the response. The response object includes all **appConsentRequest** objects that have at least one **userConsentRequest** that's `InProgress`, but doesn't expand the related **userConsentRequests** relationship.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.appConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
+}
+```
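Review bot: The Example 2 request writes the lambda as `userConsentRequests/any (u:u/status eq 'InProgress')`, with a space between `any` and the opening parenthesis and unencoded spaces in the URL. Confirm the request works exactly as written and, if the space is not needed, drop it so readers who copy the filter get `any(u:u/status eq 'InProgress')`. The empty `userConsentRequests` array in the response is explained by the prose above it, which is good to keep.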
v1.0 Appconsentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/appconsentrequest-filterbycurrentuser.md
The following table shows the parameters that can be used with this function.
## Query parameters
-This function requires theΓÇ»`$filter` OData query parameter to return a collection of [userConsentRequest](../resources/userconsentrequest.md) objects for which the status is `InProgress`. For general information, see [OData query parameters](/graph/query-parameters).
+This function *requires* theΓÇ»`$filter` (`eq`) OData query parameter to return a collection of [userConsentRequest](../resources/userconsentrequest.md) objects for which the status is `InProgress`. The function also supports the `$select` query parameter. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
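Review bot: The updated sentence says the function returns "a collection of userConsentRequest objects", but the response example in this same file is typed `#microsoft.graph.appConsentRequest` with context `Collection(appConsentRequest)`. Reword it to say that the function returns **appConsentRequest** objects that have a **userConsentRequest** whose status is `InProgress`, if that is the intended meaning.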
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(appConsentRequest)",
- "@odata.count": 1,
- "value": [
- {
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "pendingScopes": [],
- "userConsentRequests": []
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(appConsentRequest)",
+ "@odata.count": 1,
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.appConsentRequest",
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "pendingScopes": [
+ {
+ "displayName": "AccessReview.Read.All"
+ },
+ {
+ "displayName": "openid"
+ },
+ {
+ "displayName": "profile"
+ },
+ {
+ "displayName": "offline_access"
+ }
+ ],
+ "userConsentRequests": []
+ }
+ ]
} ```
v1.0 Appconsentrequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/appconsentrequest-get.md
If successful, this method returns a `200 OK` response code and an [appConsentRe
} --> ``` http
-GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/af330b30-dd59-4482-a848-0fd81b0438ed
+GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/7322e5f3-0f15-4eb8-9e82-2029e8622f5d
``` # [C#](#tab/csharp)
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests/$entity",
- "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
- "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
- "appDisplayName": "Moodle",
- "pendingScopes": [],
- "userConsentRequests": []
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests/$entity",
+ "id": "7322e5f3-0f15-4eb8-9e82-2029e8622f5d",
+ "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
+ "appDisplayName": "Graph Explorer",
+ "consentType": "Dynamic",
+ "pendingScopes": [],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('7322e5f3-0f15-4eb8-9e82-2029e8622f5d')/userConsentRequests",
+ "userConsentRequests": []
} ```
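Review bot: The new Get response shows `"pendingScopes": []` for `7322e5f3-0f15-4eb8-9e82-2029e8622f5d`, while the List and filterByCurrentUser examples for the same object and `consentType` list four pending scopes. Use the same scope list here, or choose a different id, so the examples do not contradict each other.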
v1.0 Appconsentrequest List Userconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/appconsentrequest-list-userconsentrequests.md
GET /identityGovernance/appConsent/appConsentRequests/{id}/userConsentRequests
## Optional query parameters
-This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter` (`eq`), and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Authentication List Passwordmethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-list-passwordmethods.md
+
+ Title: "List passwordMethods"
+description: "Retrieve a user's passwordAuthenticationMethod objects. This will return exactly one object, as a user can have exactly one password."
+ms.localizationpriority: medium
+++
+# List passwordMethods
+
+Namespace: microsoft.graph
+
+Retrieve a list of the passwords registered to a user, represented by a [passwordAuthenticationMethod](../resources/passwordauthenticationmethod.md) object. This will return exactly one object, as a user can have exactly one password. For security, the password itself will never be returned in the object and the **password** property is always `null`.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+### Permissions acting on self
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.Read, UserAuthenticationMethod.ReadWrite |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | Not supported. |
+
+### Permissions acting on other users
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All |
+
+For delegated scenarios where an admin is acting on another user, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+* Global Administrator
+* Global Reader
+* Privileged Authentication Administrator
+* Authentication Administrator
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /me/authentication/passwordMethods
+GET /users/{id | userPrincipalName}/authentication/passwordMethods
+```
+
+## Optional query parameters
+
+This method does not support optional query parameters to customize the response.
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [passwordAuthenticationMethod](../resources/passwordauthenticationmethod.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_passwordmethods"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/me/authentication/passwordMethods
+```
+
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.passwordAuthenticationMethod",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('67273bfa-5cd8-477a-acf7-e13ff81ebf70')/authentication/passwordMethods",
+ "value": [
+ {
+ "id": "28c10230-6103-485e-b985-444c60001490",
+ "password": null,
+ "createdDateTime": null
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List passwordMethods",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
v1.0 Authenticationmethod Resetpassword https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authenticationmethod-resetpassword.md
+
+ Title: "authenticationMethod: resetPassword"
+description: "Reset a user's password."
+ms.localizationpriority: medium
+++
+# authenticationMethod: resetPassword
+
+Namespace: microsoft.graph
++
+Reset a user's password, represented by a [password authentication method](../resources/passwordauthenticationmethod.md) object. This can only be done by an administrator with appropriate permissions and cannot be performed on a user's own account.
+
+This flow writes the new password to Azure Active Directory and pushes it to on-premises Active Directory if configured using password writeback. The admin can either provide a new password or have the system generate one. The user is prompted to change their password on their next sign in.
+
+This reset is a long-running operation and will return a **Location** header with a link where the caller can periodically check for the status of the reset operation.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+> [!IMPORTANT]
+> The operation cannot be performed on a user's own account. Only an administrator with the appropriate permissions can perform this operation.
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | Not supported. |
+
+For delegated scenarios where an admin is acting on another user, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Global Administrator
+* Privileged Authentication Administrator
+* Authentication Administrator
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token}. Required. |
+| Content-type | application/json. Required. |
+
+## Request body
+
+In the request body, provide a JSON object with the following parameters.
+
+| Parameter | Type | Description |
+|:-|:|:|
+|newPassword|String|The new password. Required for tenants with hybrid password scenarios. If omitted for a cloud-only password, the system returns a system-generated password. This is a unicode string with no other encoding. It is validated against the tenant's banned password system before acceptance, and must adhere to the tenant's cloud and/or on-premises password requirements.|
+|requireChangeOnNextSignIn|Boolean | Specifies whether the user must change their password at their next sign in.|
+
+## Response
+
+If successful, this method returns a `202 Accepted` response code and a [passwordResetResponse](../resources/passwordresetresponse.md) in the response body. The response body may also include a **Location** header with a URL to check the status of the [reset operation](longrunningoperation-get.md).
+
+If the caller did not submit a password, a Microsoft-generated password is provided in a JSON object in the response body.
+
+### Response headers
+
+| Name | Description |
+|:|:-|
+|Location | URL to call to check the status of the operation. Required.|
+|Retry-after | Duration in seconds. Optional.|
+
+## Examples
+
+### Example 1: User-submitted password
+
+The following example shows how to call this API when the caller submits a password.
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "passwordauthenticationmethod_resetpassword_adminprovided"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword
+Content-type: application/json
+
+{
+ "newPassword": "Cuyo5459"
+}
++
+#### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.entity"
+} -->
+
+```http
+HTTP/1.1 202 Accepted
+Content-type: application/json
+Location: https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/88e7560c-9ebf-435c-8089-c3998ac1ec51?aadgdc=DUB02P&aadgsu=ssprprod-a
+
+{}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "passwordAuthenticationMethod: resetPassword",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
+### Example 2: System-generated password
+
+The following example shows how to call this API when the caller does not submit a password.
+
+#### Request
+
+The following is an example of the request.
+
+<!-- {
+ "blockType": "request",
+ "name": "passwordauthenticationmethod_resetpassword_systemgenerated"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.entity"
+} -->
+
+```http
+HTTP/1.1 202 ACCEPTED
+Location: https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/77bafe36-3ac0-4f89-96e4-a4a5a48da851?aadgdc=DUB02P&aadgsu=ssprprod-a
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordResetResponse",
+ "newPassword": "Cuyo5459"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "passwordAuthenticationMethod: resetPassword",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
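Review bot: The Response section says "The response body may also include a **Location** header", but a header is not part of the body, and "may" conflicts with the response headers table (Location marked "Required.") and with the introduction ("will return a **Location** header"). State once that the `202 Accepted` response carries a Location header. The intro also says the user is prompted to change the password at next sign-in unconditionally, while `requireChangeOnNextSignIn` is documented as a parameter and used in neither example. The page annotation comment appears twice, once between Example 1 and Example 2; keep a single copy at the end of the file.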
v1.0 Longrunningoperation Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/longrunningoperation-get.md
+
+ Title: "Get longRunningOperation"
+description: "Retrieve the status of a long-running operation."
+ms.localizationpriority: medium
+++
+# Get longRunningOperation
+
+Namespace: microsoft.graph
++
+Retrieve the status of a long-running operation, represented by a [longRunningOperation](../resources/longrunningoperation.md) object. A long-running operation is initiated when you [reset a user's password](authenticationmethod-resetpassword.md). This resource type is also the base type for the richLongRunningOperation object that represents the status of a long-running operation on a [site](../resources/site.md) or a [list](../resources/list.md).
+
+The possible states of the long-running operation are `notStarted`, `running`, `succeeded`, `failed`, `unknownFutureValue` where `succeeded` and `failed` are terminal states.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions acting on self (from least to most privileged) | Permissions acting on others (from least to most privileged)|
+|:|:-|:--|
+| Delegated (work or school account) | UserAuthenticationMethod.Read, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite, UserAuthenticationMethod.ReadWrite.All | UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. | Not supported. |
+| Application | Not supported. | Not supported. |
+
+For delegated scenarios where an admin is acting on another user, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Global Administrator
+* Global Reader
+* Privileged Authentication Administrator
+* Authentication Administrator
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /users/{id | userPrincipalName}/authentication/operations/{id}
+```
+
+## Optional query parameters
+
+This method does not support optional query parameters to customize the response.
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and the requested [longRunningOperation](../resources/longrunningoperation.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_longrunningoperation"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/authentication/operations/{id}
+```
+
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.longRunningOperation"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "status": "running",
+ "createdDateTime": "2020-03-19T12-01-03.45Z",
+ "lastActionDateTime": "2020-03-19T12-01-04.23Z",
+ "id": "2d497bb-57bd-47a6-8749-5ccd0869f2bd"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Get operation",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
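Review bot: The example response uses `"createdDateTime": "2020-03-19T12-01-03.45Z"` and `"lastActionDateTime": "2020-03-19T12-01-04.23Z"`, with hyphens in the time portion, which is not the ISO 8601 form used elsewhere in these docs (`2014-01-01T00:00:00Z`). Change the time separators to colons. The `id` value `2d497bb-57bd-47a6-8749-5ccd0869f2bd` also has only seven characters in its first group, so it is not a well-formed GUID.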
v1.0 Passwordauthenticationmethod Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/passwordauthenticationmethod-get.md
+
+ Title: "Get passwordAuthenticationMethod"
+description: "Retrieve a user's passwordAuthenticationMethod object."
+ms.localizationpriority: medium
+++
+# Get passwordAuthenticationMethod
+
+Namespace: microsoft.graph
++
+Retrieve a password that's registered to a user, represented by a [passwordAuthenticationMethod](../resources/passwordauthenticationmethod.md) object. For security, the password itself will never be returned in the object and the **password** property is always `null`.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+### Permissions acting on self
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.Read, UserAuthenticationMethod.ReadWrite |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | Not supported. |
+
+### Permissions acting on other users
+
+|Permission type | Permissions (from least to most privileged) |
+|:|:-|
+| Delegated (work or school account) | UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All |
+
+For delegated scenarios where an admin is acting on another user, the admin needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+* Global Administrator
+* Global Reader
+* Privileged Authentication Administrator
+* Authentication Administrator
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /me/authentication/passwordMethods/{id}
+GET /users/{id | userPrincipalName}/authentication/passwordMethods/{id}
+```
+
+## Optional query parameters
+
+This method does not support optional query parameters to customize the response.
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and the requested [passwordAuthenticationMethod](../resources/passwordauthenticationmethod.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+<!-- {
+ "blockType": "request",
+ "name": "get_passwordauthenticationmethod"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/me/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490
+```
++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.passwordAuthenticationMethod"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('67273bfa-5cd8-477a-acf7-e13ff81ebf70')/authentication/passwordMethods/$entity",
+ "id": "28c10230-6103-485e-b985-444c60001490",
+ "password": null,
+ "creationDateTime": null
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Get passwordAuthenticationMethod",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
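Review bot: The example response returns `"creationDateTime": null`, but the resource page in this same change renames the property to `createdDateTime`, and the List passwordMethods example already uses the new name. Update the property name in this response body to match.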
v1.0 Userconsentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/userconsentrequest-filterbycurrentuser.md
The following table shows the parameters that can be used with this function.
## Optional query parameters
-This function supports theΓÇ»`$filter` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This function supports theΓÇ»`$filter` and `$select` OData query parameters to help customize the response.For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
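Review bot: The added line is missing the space between its two sentences (`customize the response.For general information`). The character before `$filter` is also a non-ASCII space that shows here as `ΓÇ»`; replace it with an ordinary space while this line is being touched.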
v1.0 Userconsentrequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/userconsentrequest-get.md
If successful, this method returns a `200 OK` response code and a [userConsentRe
} --> ``` http
-GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests/ee245379-e3bb-4944-a997-24115f0b8b5e/userConsentRequests/acef2660-d194-4943-b927-4fe4fb5cb7e3
+GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/ee245379-e3bb-4944-a997-24115f0b8b5e/userConsentRequests/acef2660-d194-4943-b927-4fe4fb5cb7e3
``` # [C#](#tab/csharp)
v1.0 Accessreviewinstancedecisionitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/accessreviewinstancedecisionitem.md
Inherits from [entity](../resources/entity.md).
|:|:|:| |accessReviewId|String|The identifier of the accessReviewInstance parent. Supports `$select`. Read-only.| |appliedBy|[userIdentity](../resources/useridentity.md)|The identifier of the user who applied the decision. Read-only.|
-|appliedDateTime|DateTimeOffset|The timestamp when the approval decision was applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.|
+|appliedDateTime|DateTimeOffset|The timestamp when the approval decision was applied.`00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't applied the decision or it was automatically applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.|
|applyResult|String|The result of applying the decision. Possible values: `New`, `AppliedSuccessfully`, `AppliedWithUnknownFailure`, `AppliedSuccessfullyButObjectNotFound` and `ApplyNotSupported`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.| |decision|String|Result of the review. Possible values: `Approve`, `Deny`, `NotReviewed`, or `DontKnow`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). | |id|String| The identifier of the decision. Inherited from [entity](../resources/entity.md). Supports `$select`. Read-only.|
Inherits from [entity](../resources/entity.md).
|recommendation|String|A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. Recommend approve if sign-in is within thirty days of start of review. Recommend deny if sign-in is greater than thirty days of start of review. Recommendation not available otherwise. Possible values: `Approve`, `Deny`, or `NoInfoAvailable`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.| |resource|[accessReviewInstanceDecisionItemResource](../resources/accessreviewinstancedecisionitemresource.md)|Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is Bob and the resource is "Sales". Resources can be of multiple types. See [accessReviewInstanceDecisionItemResource](../resources/accessreviewinstancedecisionitemresource.md). Read-only.| |resourceLink|String|A link to the resource. For example, `https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8`. Supports `$select`. Read-only.|
-|reviewedBy|[userIdentity](../resources/useridentity.md)| The identifier of the reviewer. Supports `$select`. Read-only.|
+|reviewedBy|[userIdentity](../resources/useridentity.md)| The identifier of the reviewer.`00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Supports `$select`. Read-only.|
|reviewedDateTime|DateTimeOffset| The timestamp when the review decision occurred. Supports `$select`. Read-only.| ## Relationships
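Review bot: The sentinel added to **appliedDateTime** does not fit the property: the type is DateTimeOffset, yet the new text gives an all-zero GUID, and its condition ("hasn't applied the decision or it was automatically applied") describes who applied the decision, which is **appliedBy**. Move the sentence to the appliedBy row, or state the timestamp value that is actually returned. Both added sentences also lack a space after the preceding period (`applied.` and `reviewer.`).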
v1.0 Accessreviewreviewerscope https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/accessreviewreviewerscope.md
Title: "accessReviewReviewerScope resource type"
-description: "Represents who will review an access review."
+description: "Represents reviewers of an access review or user consent requests."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-The accessReviewReviewerScope defines who will review instances of an [accessReviewScheduleDefinition](accessreviewscheduledefinition.md). It is an OData query that allows reviewers to be specified both as a static list of users (that is, specific users, group owners, and group members) or dynamically in which every user is reviewed by their manager or by group owners. To create a self-review (where users review their own access), do not provide reviewers on [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) creation.
+The **accessReviewReviewerScope** defines who will review instances of an [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) or [user consent requests](consentrequests-overview.md).
+
+Reviewers can be specified as a static list of users (that is, specific users, group owners, and group members) or dynamically in which every user is reviewed by their manager, group or application owners. To create a self-review (where users review their own access) in Azure AD access reviews, the **reviewers** property of the [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) should be an empty collection.
Inherits from [accessReviewScope](../resources/accessreviewscope.md). ## Properties | Property | Type | Description | | :-| :- | :- |
-| query | String | The query specifying who will be the reviewer. See table for examples. |
+| query | String | The query specifying who will be the reviewer.|
| queryType | String | The type of query. Examples include `MicrosoftGraph` and `ARM`. | | queryRoot | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, `./manager`, is specified. Possible value: `decisions`. |
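Review bot: The second sentence of the new description is hard to parse: "dynamically in which every user is reviewed by their manager, group or application owners" mixes "dynamically" with a relative clause and leaves it unclear whether "group" means group owners. Suggest "or dynamically, where each user is reviewed by their manager, by group owners, or by application owners". The **query** row also drops "See table for examples" without adding another pointer to sample query values.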
v1.0 Adminconsentrequestpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/adminconsentrequestpolicy.md
Title: "adminConsentRequestPolicy resource type"
-description: "Specifies the policy by which consent requests can be created and managed for the entire tenant."
+description: "Represents the policy for enabling or disabling the Azure AD admin consent workflow."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-Specifies the policy by which consent requests are created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
-
-The **adminConsentRequestPolicy** provides additional settings when creating a consent request, to control the feature behavior when starting a consent request.
+Represents the policy for enabling or disabling the Azure AD admin consent workflow. The admin consent workflow allows users to request access for apps that they wish to use and that require admin authorization before users can use the apps to access organizational data. There is a single **adminConsentRequestPolicy** per tenant.
## Methods
v1.0 Appconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/appconsentrequest.md
Title: "appConsentRequest resource type"
-description: "A request that represents a collection of userConsentRequest objects for a specific application."
+description: "Represents the request that a user creates when they request the tenant admin for consent to access an app or to grant permissions to an app."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-A collection of [userConsentRequest](../resources/userconsentrequest.md) objects for a specific application.
+Represents the request that a user creates when they request the tenant admin for consent to access an app or to grant permissions to an app. The details include the app that the user wants access to be granted to on their behalf and the permissions that the user is requesting.
+
+The user can create a consent request when an app or a permission requires admin authorization and only when the [admin consent workflow](adminconsentrequestpolicy.md) is enabled.
## Methods
A collection of [userConsentRequest](../resources/userconsentrequest.md) objects
|Relationship|Type|Description| |:|:|:|
-|userConsentRequests|[userConsentRequest](../resources/userconsentrequest.md) collection|A list of pending user consent requests.|
+|userConsentRequests|[userConsentRequest](../resources/userconsentrequest.md) collection|A list of pending user consent requests. Supports `$filter` (`eq`).|
## JSON representation
v1.0 Approvalstage https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/approvalstage.md
Specifies a decision stage in an [approval](approval.md).
|id|String|The identifier of the stage associated with an approval object. Read-only.| |justification|String|The justification associated with the approval stage decision.| |reviewResult|String|The result of this approval record. Possible values include: `NotReviewed`, `Approved`, `Denied`.|
-|reviewedBy|[identity](identity.md) | The identifier of the reviewer. Read-only.|
+|reviewedBy|[identity](identity.md) | The identifier of the reviewer. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Read-only.|
|reviewedDateTime|DateTimeOffset|The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |status|String|The stage status. Possible values: `InProgress`, `Initializing`, `Completed`, `Expired`. Read-only.|
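Review bot: **reviewedBy** is typed as identity, which is an object, so the row should say which of its properties carries `00000000-0000-0000-0000-000000000000` when the assigned reviewer hasn't reviewed. As written it reads as if the whole property were a GUID string.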
v1.0 Authentication https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/authentication.md
None.
|fido2Methods|[fido2AuthenticationMethod](../resources/fido2authenticationmethod.md) collection|Represents the FIDO2 security keys registered to a user for authentication.| |methods|[authenticationMethod](../resources/authenticationmethod.md) collection| Represents all authentication methods registered to a user.| |microsoftAuthenticatorMethods|[microsoftAuthenticatorAuthenticationMethod](../resources/microsoftauthenticatorauthenticationmethod.md) collection| The details of the Microsoft Authenticator app registered to a user for authentication. |
+|operations|[longRunningOperation](../resources/longrunningoperation.md) collection|Represents the status of a long-running operation.|
+|passwordMethods|[passwordAuthenticationMethod](../resources/passwordauthenticationmethod.md) collection|Represents the password that's registered to a user for authentication. For security, the password itself will never be returned in the object, but action can be taken to reset a password.|
|phoneMethods|[phoneAuthenticationMethod](../resources/phoneauthenticationmethod.md) collection|The phone numbers registered to a user for authentication.| |softwareOathMethods|[softwareOathAuthenticationMethod](../resources/softwareoathauthenticationmethod.md) collection|The software OATH TOTP applications registered to a user for authentication.| |temporaryAccessPassMethods|[temporaryAccessPassAuthenticationMethod](../resources/temporaryaccesspassauthenticationmethod.md) collection|Represents a Temporary Access Pass registered to a user for authentication through time-limited passcodes.| |windowsHelloForBusinessMethods|[windowsHelloForBusinessAuthenticationMethod](../resources/windowshelloforbusinessauthenticationmethod.md) collection|Represents the Windows Hello for Business authentication method registered to a user for authentication.| + ## JSON representation The following is a JSON representation of the resource. <!-- {
v1.0 Consentrequests Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/consentrequests-overview.md
Title: "Azure Active Directory consent requests"
-description: "Use Azure AD consent requests to manage the request workflow for users attempting to access apps that require admin consent."
+description: "Use the consent request APIs to configure the consent request workflow and to manage consent requests for users attempting to access apps that require admin consent."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
Azure Active Directory (Azure AD) consent requests help you manage the request workflow for users attempting to access apps that require admin approval.
-To allow users to request access or admin consent for applications they're unauthorized to grant consent to themselves, first enable the consent request workflow.
+Before an app can be used to access any data in your organization, the admin must consent for it to be used in the tenant. In addition, before a user can grant a consented application specific permissions to act on their behalf, the admin must also consent for users to be allowed to consent to those permissions for the app. Consent management is one way that Azure AD helps organizations to enforce application and data security.
+
+The Azure AD consent workflow allows users to request the tenant admins to grant consent to apps that require admin approval. The consent requests APIs in Microsoft Graph allows admin to configure the consent workflow and track consent requests for both apps and users.
>[!NOTE] >The current APIs are limited to configuring the workflow and reading the list of requests. At this time, there arenΓÇÖt any methods available to programmatically approve or deny a request. However, the contents of the request can be used to recreate a URL which can be used to grant admin consent and approve a request. [!INCLUDE [GDPR-related-guidance](../../includes/gdpr-msgraph-export-note.md)]
-The consent request resource types include:
+## Configure the admin consent workflow
+
+The admin consent policy specifies whether users can request for admin consent for apps that require admin authorization for the tenant. Use the [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md) resource type and its associated methods to configure the admin consent workflow as follows:
++ Enable or disable the consent workflow.++ Configure reviewers of admin consent requests.++ Configure how long a pending request is valid before it expires and the principals who are notified of pending requests.+
+## Retrieve app consent requests
+
+When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the app. App consent requests are retrieved through the [appConsentRequest](../resources/appconsentrequest.md) resource type and its associated methods.
-* [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md): Specifies the policy by which app consent requests can be created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
-* [appConsentRequest](../resources/appconsentrequest.md): A request that represents a collection of **userConsentRequest** objects for a specific application.
-* [userConsentRequest](../resources/userconsentrequest.md): A request created by a user to use an app that requires admin consent to access.
-* [appConsentRequestScope](../resources/appconsentrequestscope.md): A resource that contains details of the dynamic permission scopes being requested for an application.
+You can:
++ Retrieve all app consent requests and the associated collection of user consent requests for the app. An app consent request may have one or more user consent requests representing multiple requests from the same or multiple users.++ Retrieve the permissions that the user has requested for the app on their behalf.++ Use `$filter` to match against pending requests.++ Retrieve the app consent requests for which the signed-in user is the creator of the request.
-## Methods
+## Retrieve user consent requests
-The following table lists the methods that you can use to interact with consent request resources.
+When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the tenant admin to allow them to use the app. User consent requests are retrieved through the [userConsentRequest](../resources/userconsentrequest.md) resource type and its associated methods.
-| Method | Return type |Description|
-|:|:--|:-|
-|[Get adminConsentRequestPolicy](../api/adminconsentrequestpolicy-get.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Read the properties of the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
-|[Update adminConsentRequestPolicy](../api/adminconsentrequestpolicy-update.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Set configurations for the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
-|[List appConsentRequests ](../api/appconsentapprovalroute-list-appconsentrequests.md) | [appConsentRequest](appconsentrequest.md) collection | Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects. |
-|[Get appConsentRequests ](../api/appconsentrequest-get.md) | [appConsentRequest](appconsentrequest.md) collection | Read an [appConsentRequest](appconsentrequest.md) object. |
-|[appConsentRequest: filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/appconsentrequest.md) collection | Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`. |
-|[Get userConsentRequest ](../api/userconsentrequest-get.md) | [userConsentRequest](userconsentrequest.md) collection | Read a [userConsentRequest](userconsentrequest.md) object for an [appConsentRequest](appconsentrequest.md). |
-|[List userConsentRequests ](../api/appconsentrequest-list-userconsentrequests.md) | [userConsentRequest](userconsentrequest.md) collection | Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md). |
-|[userConsentRequest: filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/userconsentrequest.md) collection | Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for which the current user is the reviewer. |
+You can:
++ Retrieve the details about the user consent requests.++ Retrieve the stages of approval that the consent request went through. The approval process is currently a single-stage process.++ Retrieve the status of the approvals, whether pending or completed, and whether the reviewers decisions were to deny or approve the consent request. ## Role and delegated permission authorization checks
-The following directory roles are required for a calling user to manage the requests workflow or read the list of requests.
+The following directory roles are required for a calling application.
| Operation | Delegated permissions | Required directory role of the calling user | |:|:|:--|
-| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Administrator, Global Reader, Cloud App Administrator, and Application Administrator |
+| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Reader, Cloud App Administrator, Application Administrator, or Global Administrator |
## See also
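Review bot: The new bullet "Retrieve the app consent requests for which the signed-in user is the creator of the request" contradicts the removed methods table, where appConsentRequest: filterByCurrentUser was described as returning requests "for which the current user is the reviewer". If the bullet refers to that function, one of the two descriptions is wrong and should be checked against the API page. In the authorization section the lead-in now says the roles are required "for a calling application", while the table columns remain "Delegated permissions" and "Required directory role of the calling user"; keep "calling user". Also fix "The consent requests APIs in Microsoft Graph allows admin to configure" to "allow admins to configure". Removing the methods table leaves this overview without direct links to the API pages, so consider keeping it.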
v1.0 Enums https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/enums.md
Namespace: microsoft.graph
|outOfOffice| |unknownFutureValue|
+### signInFrequencyAuthenticationType values
+
+|Member|
+|:|
+|primaryAndSecondaryAuthentication|
+|secondaryAuthentication|
+|unknownFutureValue|
+
+### signInFrequencyInterval values
+
+|Member|
+|:|
+|timeBased|
+|everyTime|
+ ### crossTenantAccessPolicyTargetConfigurationAccessType values |Member|
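Review bot: The `signInFrequencyInterval` table lists only `timeBased` and `everyTime`, but the **frequencyInterval** row added to signInFrequencySessionControl in this same change gives the possible values as `timeBased`, `everyTime`, `unknownFutureValue`. Add `unknownFutureValue` here or remove it there so the enum is documented consistently.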
v1.0 Longrunningoperation https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/longrunningoperation.md
+
+ Title: "longRunningOperation resource type"
+description: "The status of a long-running operation."
+ms.localizationpriority: medium
+++
+# longRunningOperation resource type
+
+Namespace: microsoft.graph
+
+The status of a long-running operation.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|createdDateTime|DateTimeOffset|The start time of the operation.|
+|id|String|The unique identifier of the operation |
+|lastActionDateTime|DateTimeOffset|The time of the last action in the operation.|
+|resourceLocation|String| URI of the resource that the operation is performed on. |
+|status|longRunningOperationStatus|The status of the operation. The possible values are: `notStarted`, `running`, `succeeded`, `failed`, `unknownFutureValue`.|
+|statusDetail|String|Details about the status of the operation.|
++
+## JSON representation
+
+Here is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.longRunningOperation",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.longRunningOperation",
+ "id": "String (identifier)",
+ "createdDateTime": "String (timestamp)",
+ "lastActionDateTime": "String (timestamp)",
+ "resourceLocation": "String",
+ "status": "String",
+ "statusDetail": "String"
+}
+```
+
+<!-- uuid: 13fa92b1-3b41-498b-aab1-f943464a124f
+2018-03-30 10:29:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "operation resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
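Review bot: The resource metadata comment declares `"baseType": "microsoft.graph.entity"`, but the page body has no "Inherits from [entity]" line, unlike the other resource pages in this change. Add it so the inherited **id** is attributed correctly. Minor: the **id** description lacks its closing period, and the page annotation description "operation resource" should name longRunningOperation.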
v1.0 Passwordauthenticationmethod https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/passwordauthenticationmethod.md
+
+ Title: "passwordAuthenticationMethod resource type"
+description: "A representation of a user's password."
+ms.localizationpriority: medium
+++
+# passwordAuthenticationMethod resource type
+
+Namespace: microsoft.graph
++
+A representation of a user's password. For security, the password itself will never be returned in the object, but action can be taken to reset a password.
+
+Inherits from [authenticationMethod](../resources/authenticationmethod.md).
+
+## Methods
+
+| Method | Return Type | Description |
+|:-|:|:|
+|[List passwordMethod](../api/authentication-list-passwordmethods.md) | [passwordAuthenticationMethod](passwordauthenticationmethod.md) collection | Read the properties and relationships of a user's **passwordAuthenticationMethod** objects. |
+|[Get passwordAuthenticationMethod](../api/passwordauthenticationmethod-get.md) | [passwordAuthenticationMethod](passwordauthenticationmethod.md) | Read the properties and relationships of a user's **passwordAuthenticationMethod** object. |
+|[Reset password](../api/authenticationmethod-resetpassword.md)|None|Reset a user's password in the cloud and, if synced, on-premises.|
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|createdDateTime|DateTimeOffset|The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
+|id|String| The identifier of this password registered to this user. This is generally `28c10230-6103-485e-b985-444c60001490`. Read-only.|
+|password|String|For security, the password is always returned as `null` from a LIST or GET operation.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "optionalProperties": [
+
+ ],
+ "@odata.type": "microsoft.graph.passwordAuthenticationMethod",
+ "keyProperty": "id"
+}-->
+
+```json
+{
+ "creationDateTime": "String (timestamp)",
+ "id": "String (identifier)",
+ "password": "String"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "passwordAuthenticationMethod resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
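Review bot: The Properties table names the timestamp `createdDateTime`, while the JSON representation directly below it uses `creationDateTime`; only one of them can match the API, so align the two with the actual schema. The same row describes the value as when the password "was last updated", which does not match a created timestamp, and refers to "The Timestamp type" although the Type column says DateTimeOffset. The JSON representation also omits the `@odata.type` line that the other new resource pages in this change include.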
v1.0 Passwordresetresponse https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/passwordresetresponse.md
+
+ Title: "passwordResetResponse resource type"
+description: "Represents the new system-generated password after a password reset operation."
+
+ms.localizationpriority: medium
++
+# passwordResetResponse resource type
+
+Namespace: microsoft.graph
+
+Represents the new system-generated password after a [password reset operation](../api/authenticationmethod-resetpassword.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|newPassword|String|The Azure AD-generated password.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.passwordResetResponse"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.passwordResetResponse",
+ "newPassword": "String"
+}
+```
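Review bot: This page describes the object returned by the password reset operation, but the Methods table added to passwordauthenticationmethod.md in this same change lists Reset password with return type "None". Update that row to reference passwordResetResponse, or explain here when the response is returned. Since **newPassword** carries a credential, the description should also say under what conditions it is populated.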
v1.0 Signinfrequencysessioncontrol https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/signinfrequencysessioncontrol.md
Title: "signInFrequencySessionControl resource type" description: "Session control to enforce signin frequency." ms.localizationpriority: medium-+ ms.prod: "identity-and-sign-in" doc_type: "resourcePageType"
Session control to enforce sign-in frequency. Inherits from [Conditional Access
|isEnabled |Boolean | Specifies whether the session control is enabled. | |type |signinFrequencyType| Possible values are: `days`, `hours`.| |value |Int32 | The number of `days` or `hours`.|
+|authenticationType |signInFrequencyAuthenticationType | The possible values are `primaryAndSecondaryAuthentication`, `secondaryAuthentication`, `unknownFutureValue`.|
+|frequencyInterval |signInFrequencyInterval | The possible values are `timeBased`, `everyTime`, `unknownFutureValue`.|
## Relationships
The following is a JSON representation of the resource.
```json {
- "isEnabled": true,
+ "isEnabled":true,
"type": "String",
- "value": 1024
+ "value": 1024,
+ "authenticationType": "String",
+ "frequencyInterval": "String"
} ```
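Review bot: The two new properties are documented only as lists of enum values, with nothing on how **frequencyInterval** interacts with the existing **type** and **value**, for example whether `type` and `value` are ignored when the interval is `everyTime`. Add one sentence per row on what each value means. The change to `"isEnabled":true,` also drops the space after the colon that every other line in the JSON block keeps.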
v1.0 Userconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/userconsentrequest.md
Title: "userConsentRequest resource type"
-description: "A request created by a user to use an app that requires access to organizational data the user is unauthorized to grant consent to themselves."
+description: "Represents the details of the request that a user creates when they request the tenant admin for consent to access an app or to grant permissions to an app. The details include justification for requesting access, the status of the request, and the approval details."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-A [userConsentRequest](../resources/userconsentrequest.md) is created by a user when they are requesting access to an application which requires an admin authorization to access.
+Represents the details of the consent request a user creates when they request to access an app or to grant permissions to an app. The details include justification for requesting access, the status of the request, and the approval details.
+
+The user can create a consent request when an app or a permission requires admin authorization and only when the [admin consent workflow](adminconsentrequestpolicy.md) is enabled.
## Methods
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
href: api/certificatebasedauthconfiguration-get.md - name: Delete href: api/certificatebasedauthconfiguration-delete.md
+ - name: Password
+ href: resources/passwordauthenticationmethod.md
+ items:
+ - name: List
+ href: api/authentication-list-passwordmethods.md
+ - name: Get
+ href: api/passwordauthenticationmethod-get.md
+ - name: Reset
+ href: api/authenticationmethod-resetpassword.md
+ - name: Get operation status
+ href: api/longrunningoperation-get.md
- name: Temporary Access Pass href: resources/temporaryaccesspassauthenticationmethod.md items: